Beginner

Controlling access to ISE PSNs for SSH Access

Hi Guys,

I'm trying to find out what the best way would be to control access to our ISE PSNs via SSH. At this moment SSH is enabled, which permits access to the devices from almost anywhere in the LAN.

Are there options to enable host-based ACLs to permit access from only certain IP addresses/subnets?

Thank you

 

VIP Advocate

Re: Controlling access to ISE PSNs for SSH Access

There are limited options on ISE for this; it's not like a switch VTY line where you can apply an ACL. You could, however, disable SSH completely with "no service sshd enable". At that point you would manage this from the CIMC or VMware console, enabling SSH when you need it.
VIP Advocate

Re: Controlling access to ISE PSNs for SSH Access

Hi @VinnyR

You can achieve this through the Admin Access List in the ISE GUI. I thought this only applied to GUI access, but I was pleasantly surprised to find that it also applies to CLI access.

Having said that, I don't have a distributed deployment to test this on; in my case I am using an all-in-one node.

Below I tested this by only allowing my NOC to access ISE from a wired LAN subnet, 192.168.100.0/24:

acl.PNG

Accessing the GUI from any other subnet will show this as a result:

oops.PNG

On the SSH access, you won't get a TCP connection success; the session will just hang.

Make sure you test this (or implement this) in a sensible manner. I don't know how to revert this change if you should cut yourself off from the Admin GUI. There doesn't seem to be a CLI command to revert the changes via console. Be very careful!

 

 

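The reply above warns that the Admin Access List can lock an administrator out, and that a blocked SSH session hangs rather than being refused. The following is an added example (not Cisco's code and not from any poster in this thread) of the two checks a practitioner would run around that change: a pre-flight check that every management source address you rely on is inside the allow list before you apply it, and a post-change TCP probe that distinguishes "open", "refused" and "filtered" (the hang the reply describes). The allow list format (plain CIDR strings), the `192.168.100.0/24` NOC subnet and the sample source addresses are constructed inputs; the probe assumes the node listens on TCP 22 for SSH and 443 for the Admin GUI.

```python
"""Pre-flight and post-change checks around an ISE admin access allow list.

Added example; assumes the allow list is expressed as CIDR strings and that
the ISE node exposes SSH on TCP/22 and the Admin GUI on TCP/443.
"""
import ipaddress
import socket
from typing import Iterable, List


def parse_allow_list(entries: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Turn CIDR strings into network objects.

    strict=False tolerates host bits in an entry such as "192.168.100.7/24"
    so a typo in the last octet does not silently produce a different network.
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_source_permitted(src: str, allow_list: List[ipaddress._BaseNetwork]) -> bool:
    """True if the source address falls inside any allowed network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allow_list)


def preflight(my_sources: Iterable[str], allow_list: List[ipaddress._BaseNetwork]) -> List[str]:
    """Return the management sources that would be locked out once the
    allow list is applied. An empty list means it is safe to proceed."""
    return [src for src in my_sources if not is_source_permitted(src, allow_list)]


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify a TCP connect attempt from the current host.

    'open'        -> handshake completed (source is permitted)
    'refused'     -> RST received (service down or not listening)
    'filtered'    -> no answer until the timeout, i.e. the hang the reply
                     describes for a blocked SSH session
    'unreachable' -> routing or other socket error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"


if __name__ == "__main__":
    # Constructed sample data: the NOC subnet from the thread plus one
    # jump host outside it that an admin might have forgotten about.
    allow = parse_allow_list(["192.168.100.0/24"])
    my_management_sources = ["192.168.100.37", "10.20.30.40"]

    locked_out = preflight(my_management_sources, allow)
    if locked_out:
        print("Do NOT apply yet; these sources would be locked out:", locked_out)
    else:
        print("All management sources are covered by the allow list.")

    # After applying the change, run the probe from inside and outside the
    # allowed subnet. ISE_NODE is a placeholder hostname, not a real target.
    ISE_NODE = "ise-psn.example.invalid"
    for port in (22, 443):
        print(f"{ISE_NODE}:{port} -> {probe_tcp(ISE_NODE, port, timeout=2.0)}")
```

Run the pre-flight from the same host you administer ISE from; if it reports any source as locked out, add that subnet to the allow list before saving, since the reply notes there is no obvious console command to undo the change. After the change, a probe result of "filtered" from a non-permitted source and "open" from the NOC subnet confirms the list is doing what you intended.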
Beginner

Re: Controlling access to ISE PSNs for SSH Access

Hi @VinnyR,

@Arne Bier has given you the best way; tested by me as well in a previous role.